Skip to content

Encryption

How do I configure chezmoi to encrypt files but only request a passphrase the first time chezmoi init is run?

The following steps use age for encryption.

This can be achieved with the following process:

  1. Generate an age private key.
  2. Encrypt the private key with a passphrase.
  3. Configure chezmoi to decrypt the private key if needed.
  4. Configure chezmoi to use the private key.
  5. Add encrypted files.

First, change to chezmoi's source directory:

$ chezmoi cd

Generate an age private key encrypted with a passphrase with the command:

$ age-keygen | age --passphrase > key.txt.age
Public key: age193wd0hfuhtjfsunlq3c83s8m93pde442dkcn7lmj3lspeekm9g7stwutrl
Enter passphrase (leave empty to autogenerate a secure one):
Confirm passphrase:

Use a strong passphrase and make a note of the public key (age193wd0hfuhtjfsunlq3c83s8m93pde442dkcn7lmj3lspeekm9g7stwutrl in this case).

Add key.txt.age to .chezmoiignore so that chezmoi does not try to create it:

$ echo key.txt.age >> .chezmoiignore

Configure chezmoi to decrypt the passphrase-encrypted private key if needed:

$ cat > run_once_before_decrypt-private-key.sh.tmpl <<EOF
#!/bin/sh

if [ ! -f "${HOME}/key.txt" ]; then
    age --decrypt --output "${HOME}/key.txt" "{{ .chezmoi.sourceDir }}/key.txt.age"
    chmod 600 "${HOME}/key.txt"
fi
EOF

Configure chezmoi to use the public and private key for encryption:

$ cat >> .chezmoi.toml.tmpl <<EOF
encryption = "age"
[age]
    identity = "~/key.txt"
    recipient = "age193wd0hfuhtjfsunlq3c83s8m93pde442dkcn7lmj3lspeekm9g7stwutrl"
EOF

age.recipient must be your public key from above.

When you run chezmoi init --apply to generate the chezmoi's config file, you will be prompted for your passphrase to decrypt the private key:

$ chezmoi init --apply
Enter passphrase:

At this stage everything is configured and git status should report:

$ git status
On branch main
Untracked files:
  (use "git add <file>..." to include in what will be committed)
    .chezmoi.toml.tmpl
    .chezmoiignore
    key.txt.age
    run_once_before_decrypt-private-key.sh.tmpl

nothing added to commit but untracked files present (use "git add" to track)

If you're happy with the changes you can commit them.

Add files that you want to encrypt using the --encrypt argument to chezmoi add, for example:

$ chezmoi add --encrypt ~/.ssh/id_rsa
Back to top